httpd-dev mailing list archives

------- Forwarded Message
Return-Path: owner-freebsd-hackers@freefall.freebsd.org
Return-Path: owner-freebsd-hackers@freefall.freebsd.org
Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by sierra.zyzzyva.com (8.8.4/8.8.2)
with ESMTP id JAA01058 for <randy@zyzzyva.com>; Thu, 19 Dec 1996 09:19:08 -0600 (CST)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.18])
by mail.webspan.net (8.7.5/8.7.3) with ESMTP id JAA01277;
Thu, 19 Dec 1996 09:03:22 -0500 (EST)
Received: from localhost (daemon@localhost)
by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id FAA22389;
Thu, 19 Dec 1996 05:39:14 -0800 (PST)
Received: (from root@localhost)
by freefall.freebsd.org (8.8.4/8.8.4) id FAA22353
for hackers-outgoing; Thu, 19 Dec 1996 05:37:08 -0800 (PST)
Received: from fang.cs.sunyit.edu (fang.cs.sunyit.edu [192.52.220.66])
by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA22348
for <hackers@freebsd.org>; Thu, 19 Dec 1996 05:37:05 -0800 (PST)
Received: (from chuck@localhost) by fang.cs.sunyit.edu (8.7.6/8.7.3) id IAA20462 for hackers@freebsd.org;
Thu, 19 Dec 1996 08:36:41 -0500 (EST)
Resent-Date: Thu, 19 Dec 1996 08:36:41 -0500 (EST)
Resent-From: Charles Green <green@fang.cs.sunyit.edu>
Resent-Message-Id: <199612191336.IAA20462@fang.cs.sunyit.edu>
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
Resent-To: hackers@freebsd.org
Received: from toad.com (toad.com [140.174.2.1]) by fang.cs.sunyit.edu (8.7.6/8.7.3) with
ESMTP id VAA17725 for <green@fang.cs.sunyit.edu>; Wed, 18 Dec 1996 21:35:41 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by toad.com (8.7.5/8.7.3) with SMTP id RAA08591
for <cypherpunks-announce>; Wed, 18 Dec 1996 17:55:31 -0800 (PST)
Message-Id: <199612190155.RAA08591@toad.com>
X-Authentication-Warning: toad.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: cypherpunks-announce@toad.com
Subject: EFF: Bernstein court declares crypto restrictions unconstitutional
Date: Wed, 18 Dec 1996 17:55:29 -0800
From: John Gilmore <gnu@toad.com>
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk
COURT DECLARES CRYPTO RESTRICTIONS UNCONSTITUTIONAL
Free Speech Trumps Clinton Wiretap Plan
December 18, 1996
Electronic Frontier Foundation Contacts:
Shari Steele, Staff Attorney
301/375-8856, ssteele@eff.org
John Gilmore, Founding Board Member
415/221-6524, gnu@toad.com
Cindy Cohn, McGlashan & Sarrail
415/341-2585, cindy@mcglashan.com
San Francisco - On Monday, Judge Marilyn Hall Patel struck down Cold War
export restrictions on the privacy technology called cryptography. Her
decision knocks out a major part of the Clinton Administration's
effort to force companies to build "wiretap-ready" computers,
set-top boxes, telephones, and consumer electronics.
The decision is a victory for free speech, academic freedom, and the
prevention of crime. American scientists and engineers will now be
free to collaborate with their peers in the United States and in other
countries. This will enable them to build a new generation of tools
for protecting the privacy and security of communications.
The Clinton Administration has been using the export restrictions to goad
companies into building wiretap-ready "key recovery" technology. In a
November Executive Order, President Clinton offered limited
administrative exemptions from these restrictions to companies which
agree to undermine the privacy of their customers. Federal District
Judge Patel's ruling knocks both the carrot and the stick out of
Clinton's hand, because the restrictions were unconstitutional in the
first place.
The Cold War law and regulations at issue in the case prevented
American researchers and companies from exporting cryptographic
software and hardware. Export is normally thought of as the physical
carrying of an object across a national border. However, the
regulations define "export" to include simple publication in the U.S.,
as well as discussions with foreigners inside the U.S. They also define
"software" to include printed English-language descriptions and
diagrams, as well as the traditional machine-readable object code and
human-readable source code.
The secretive National Security Agency has built up an arcane web of
complex and confusing laws, regulations, standards, and secret
interpretations for years. These are used to force, persuade, or
confuse individuals, companies, and government departments into making
it easy for NSA to wiretap and decode all kinds of communications.
Their tendrils reach deep into the White House, into numerous Federal
agencies, and into the Congressional Intelligence Committees. In
recent years this web is unraveling in the face of increasing
visibility, vocal public disagreement with the spy agency's goals,
commercial and political pressure, and judicial scrutiny.
Civil libertarians have long argued that encryption should be widely
deployed on the Internet and throughout society to protect privacy,
prove the authenticity of transactions, and improve computer security.
Industry has argued that the restrictions hobble them in building
secure products, both for U.S. and worldwide use, risking America's
current dominant position in computer technology. Government
officials in the FBI and NSA argue that the technology is too
dangerous to permit citizens to use it, because it provides privacy to
criminals as well as ordinary citizens.
"We're pleased that Judge Patel understands that our national security
requires protecting our basic rights of free speech and privacy," said
John Gilmore, co-founder of the Electronic Frontier Foundation, which
backed the suit. "There's no sense in `burning the Constitution in
order to save it'. The secretive bureaucrats who have restricted these
rights for decades in the name of national security must come to a
larger understanding of how to support and preserve our democracy."
Reactions to the decision
"This is a positive sign in the crypto wars -- the first rational
statement concerning crypto policy to come out of any part of the
government," said Jim Bidzos, President of RSA Data Security, one of
the companies most affected by crypto policy.
"It's nice to see that the executive branch does not get to decide
whether we have the right of free speech," said Philip Zimmermann,
Chairman of PGP, Inc. "It shows that my own common sense
interpretation of the constitution was correct five years ago when I
thought it was safe to publish my own software, PGP. If only US
Customs had seen it that way." Mr. Zimmermann is a civil libertarian
who was investigated by the government under these laws when he wrote
and gave away a program for protecting the privacy of e-mail. His
"Pretty Good Privacy" program is used by human rights activists
worldwide to protect their workers and informants from torture and
murder by their own countries' secret police.
"Judge Patel's decision furthers our efforts to enable secure electronic
commerce," said Asim Abdullah, executive director of CommerceNet.
Jerry Berman, Executive Director of the Center for Democracy and
Technology, a Washington-based Internet advocacy group, hailed the
victory. "The Bernstein ruling illustrates that the Administration
continues to embrace an encryption policy that is not only unwise, but
also unconstitutional. We congratulate Dan Bernstein, the Electronic
Frontier Foundation, and all of the supporters who made this victory
for free speech and privacy on the Internet possible."
"The ability to publish is required in any vibrant academic discipline,"
This ruling re-affirming our obvious academic right will help American
researchers publish without worrying," said Bruce Schneier, author of
the popular textbook _Applied Cryptography_, and a director of the
International Association for Cryptologic Research, a professional
organization of cryptographers.
Kevin McCurley, President of the International Association for
Cryptologic Research, said, "Basic research to further the
understanding of fundamental notions in information should be welcomed
by our society. The expression of such work is closely related to one
of the fundamental values of our society, namely freedom of speech."
Effect of the decision
Judge Patel's decision today only legally applies to Prof. Bernstein.
Other people and companies are still technically required to follow
the export restrictions when speaking or publishing about
cryptography, or when speaking or publishing cryptographic source
code. However, the decision sends a strong signal that if the
government tried to enforce these rules against other people, the
courts are likely to strike them down again.
Judge Patel has specifically not decided whether the export controls
on object code (the executable form of computer programs which source
code is automatically translated into) are constitutional. Existing
export controls will continue to apply to runnable software products,
such as Netscape's broswer, until another court case challenges that
part of the restrictions.
Background on the case
The plaintiff in the case, Daniel J. Bernstein, Research Assistant
Professor at the University of Illinois at Chicago, developed an
"encryption algorithm" (a recipe or set of instructions) that he
wanted to publish in printed journals as well as on the Internet.
Bernstein sued the government, claiming that the government's
requirements that he register as an arms dealer and seek government
permission before publication was a violation of his First Amendment
right of free speech. This is required by the Arms Export Control Act
and its implementing regulations, the International Traffic in Arms
Regulations.
In the first phase of this litigation, the government argued that
since Bernstein's ideas were expressed, in part, in computer language
(source code), they were not protected by the First Amendment. On
April 15, 1996, Judge Patel rejected that argument and held for the
first time that computer source code is protected speech for purposes
of the First Amendment.
Details of Monday's Decision
Judge Patel ruled that the Arms Export Control Act is an
unconstitutional prior restraint on speech, because it requires
Bernstein to submit his ideas about cryptography to the government for
review, to register as an arms dealer, and to apply for and obtain from
the government a license to publish his ideas. Using the Pentagon
Papers case as precedent, she ruled that the government's "interest of
national security alone does not justify a prior restraint." Under the
Constitution, he is now free to publish his ideas without asking the
government's permission first.
Judge Patel also held that the government's required licensing
procedure fails to provide adequate procedural safeguards. When the
Government acts legally to suppress protected speech, it must reduce
the chance of illegal censorship by the bureacrats involved. Her
decision states, "Because the ITAR licensing scheme fails to provide
for a time limit on the licensing decision, for prompt judicial review
and for a duty on the part of the ODTC to go to court and defend a
denial of a license, the ITAR licensing scheme as applied to Category
XIII(b) acts as an unconstitutional prior restraint in violation of the
First Amendment."
She also ruled that the export controls restrict speech based on the
content of the speech, not for any other reason. "Category XIII(b) is
directed very specifically at applied scientific research and speech on
the topic of encryption." The Government had argued that it restricts
the speech because of its function, not its content.
The judge also found that the ITAR is vague, because it does not
adequately define how information that is available to the public
"through fundamental research in science and engineering" is exempt
from the export restrictions. "This subsection ... does not give
people ... a reasonable opportunity to know what is prohibited." The
failure to precisely define what objects and actions are being
regulated creates confusion and a chilling effect. Bernstein has been
unable to publish his encryption algorithm for over three years. Many
other cryptographers and ordinary programmers have also been restrained
from publishing because of the vagueness of the ITAR. Brian
Behlendorf, a maintainer of the popular public domain "Apache" web
server program, stated, "No cryptographic source code was ever
distributed by the Apache project. Despite this, the Apache server
code was deemed by the NSA to violate the ITAR." Judge Patel also
adopted a narrower definition of the term "defense service" in order to
save it from unconstitutional vagueness.
The immediate effect of this decision is that Bernstein now is free to
teach his January 13th cryptography class in his usual way. He can
post his class materials on the Internet, and discuss the upcoming
class's materials with other professors, without being held in
violation of the ITAR. "I'm very pleased," Bernstein said. "Now I
won't have to tell my students to burn their notebooks."
ABOUT THE ATTORNEYS
Lead counsel on the case is Cindy Cohn of the San Mateo law firm of
McGlashan & Sarrail, who is offering her services pro bono. Major
additional pro bono legal assistance is being provided by Lee Tien of
Berkeley; M. Edward Ross of the San Francisco law firm of Steefel,
Levitt & Weiss; James Wheaton and Elizabeth Pritzker of the First
Amendment Project in Oakland; and Robert Corn-Revere of the
Washington, DC, law firm of Hogan & Hartson.
ABOUT THE ELECTRONIC FRONTIER FOUNDATION
The Electronic Frontier Foundation (EFF) is a nonprofit civil
liberties organization working in the public interest to protect
privacy, free expression, and access to online resources and
information. EFF is a primary sponsor of the Bernstein case. EFF
helped to find Bernstein pro bono counsel, is a member of the
Bernstein legal team, and helped collect members of the academic
community and computer industry to support this case.
Full text of the lawsuit and other paperwork filed in the case is
available from EFF's online archives at
http://www.eff.org/pub/EFF/Policy/Crypto/ITAR_export/Bernstein_case/
The full text of Monday's decision will be posted there as soon as
we scan it in.
------- End of Forwarded Message